Re: Moving from type forward to type static-stub
On 20.09.12 19:49, Oscar Ricardo Silva wrote:
> The current servers are configured to forward any queries for our domain straight to our authoritative servers:
>
> I've been reading about the new zone type: static-stub and believe this may work better for us. If I'm correct, it will send non-recursive queries to the listed servers and will honor delegations. I've tested this configuration in our lab and it all appears to be working.
>
> With our configuration, are there any downsides to changing from forward zones to static-stub? Any gotchas I should know about? At this time we don't have dnssec validation turned on. We tried it and had too many problems with misconfigured domains not resolving properly so backed out.

type forward supports "forward first", which is good if you have e.g. local versions of blacklists but want to use standard resolution when your local servers are unreachable.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Improved SSL Error Logging [RT #29932]
> BIND 9.7.7, 9.8.4 and 9.9.2 have improved OpenSSL error logging. Unfortunately, our logs are now filling up with "RSA_verify failed" messages.

Yeah, oops, we made that one too noisy. You're not the first one who's noticed. :/

> How does one go about tracking down the source of these failures and correcting them? (We are running OpenSSL 1.0.1c.)

In BIND9, in lib/dns/opensslrsa_link.c, change this:

    return (dst__openssl_toresult2("RSA_verify", DST_R_VERIFYFAILURE));

to this:

    return (dst__openssl_toresult(DST_R_VERIFYFAILURE));

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: query (cache) 'domain.com/AAAA/IN' denied
On 10/10/12 9:41 PM, Árni Birgisson wrote:
> You have all those allow-*, but in your previous email you have "recursion no;" which you would have to change to "recursion yes;". When you have done this, make sure to restrict it with the allow-recursion so you do not have an open resolver.

thanks to you too but same result.

    options {
        version ;
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        allow-query-cache { any; };
        allow-query { any; };
        recursion yes;
        // allow-recursion { any; }
        allow-transfer { 127.0.0.1; };
    };

    # dig @ns2. domain.com

    ; <<>> DiG 9.4.2 <<>> @ns2 domain.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;domain.com.                    IN      A

    ;; Query t

i actually have another machine that has bind 9.4.2 and it works as desired without all this options. both machines are meant to be authoritative for domain.com... anything else i can try? thanks...

> -- 
> Arni
>
> ----- Original Message -----
> From: kalin ka...@el.net
> To: Lyle Giese l...@lcrcomputer.net
> Cc: bind-users@lists.isc.org
> Sent: Thursday, October 11, 2012 1:34:24 AM
> Subject: Re: query (cache) 'domain.com/AAAA/IN' denied
>
> On 10/10/12 9:17 PM, Lyle Giese wrote:
>> On 10/10/12 20:01, kalin wrote:
>>> hi all...
>>>
>>> # uname -a
>>> NetBSD ns2. 5.1 NetBSD 5.1 ...
>>> # named -v
>>> BIND 9.5.2-P2
>>>
>>> i get these in the log:
>>>
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query (cache) 'domain.net/AAAA/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query (cache) 'domain.net/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query (cache) 'www.domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query (cache) 'domain.net/AAAA/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query (cache) 'domain.net/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query (cache) 'www.domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query (cache) 'www.domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query (cache) 'domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query (cache) 'domain.org/A/IN' denied
>>> .
>>>
>>> all the domain.net, .org, .com above exist. if i do a dig off a local machine they resolve fine. if the dig is out of this network i get a log entry as above.
>>>
>>> at this point the named.conf has:
>>>
>>>     options {
>>>         version "ha-ha-ha";
>>>         directory "/etc/namedb";
>>>         pid-file "/var/run/named/pid";
>>>         dump-file "/var/dump/named_dump.db";
>>>         statistics-file "/var/stats/named.stats";
>>>         allow-query-cache { any; };
>>>         allow-query { any; };
>>>         recursion no;
>>>         allow-transfer { 127.0.0.1; };
>>>     };
>>>
>>> i'm not sure where to look next. this machine is on a verizon fios if that really makes any difference... where should i look? thanks
>>
>> These are queries that require recursion and you have that turned off. If you don't want a publicly abused dns server, turn recursion on and restrict recursion to your LAN addresses (allow-recursion).
>
> thanks.. but not good. now i have:
>
>     allow-query-cache { any; };
>     allow-query { any; };
>     allow-recursion { any; }
>
> and still those logs. a dig from the outside gets refused...
>
>> Lyle Giese
>> LCR Computer Services, Inc.
Re: query (cache) 'domain.com/AAAA/IN' denied
On 10/10/12 20:52, kalin wrote:
> [...]
> i actually have another machine that has bind 9.4.2 and it works as desired without all this options. both machines are meant to be authoritative for domain.com... anything else i can try? thanks...

Maybe silly question, but after you changed your named.conf, did you restart named?

Are there any other named.conf on your system? (your named may be reading a different named.conf other than the one you are editing.)

Lyle Giese
Re: query (cache) 'domain.com/AAAA/IN' denied
Make sure you are editing the named.conf named is using. Change the version string, reload the server and check that the version reported matches what is in named.conf.

If that doesn't identify/fix the problem, post to the list the complete named.conf along with any included files (x out the tsig secrets) and a list of the zones the server is supposed to serve.

Problems like this are almost always the result of something simple that is hidden because people are scared to post the full named.conf, so they post an overly redacted version. The only thing that really needs to be redacted are the shared secrets.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: query (cache) 'domain.com/AAAA/IN' denied
On 10/10/12 10:17 PM, Lyle Giese wrote:
> On 10/10/12 20:52, kalin wrote:
>> [...]
>
> Maybe silly question, but after you changed your named.conf, did you restart named?

yea. via /etc/rc.d/named stop|start. checked with ps that it is not really running.

> Are there any other named.conf
Re: query (cache) 'domain.com/AAAA/IN' denied
On Oct 10, 2012, at 7:22 PM, kalin wrote:
> if i add a zone record to the named.conf i'm editing and do a dig on it, locally i get it fine:
>
>     $ dig @ns2. domain.com
>
>     ; <<>> DiG 9.8.1-P1 <<>> @ns2. domain.com
>     ; (1 server found)
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

No you don't. You're getting it from the other computer. No 'aa' flag. Your zone is not loading for some reason.

The reason it works locally and not remotely is, the local query is in the default allow-recursion ACL, but the remote host is not. The recursion settings are a red herring. Solve the missing 'aa' flag.

Chris Buxton
BlueCat Networks
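The three diagnostics in this thread (Lyle's REFUSED / "recursion requested but not available", Mark's "change the version string and check what the server reports", and Chris's "look for the 'aa' flag") all come down to reading the DNS header flags. The following is an added example, not code from this thread or from ISC: it decodes the header of a raw DNS response, skips the question, and reports rcode, AA, RD and RA, decoding TXT rdata so a CHAOS version.bind answer can be compared with the `version` statement in the named.conf you believe you are editing. The packets are constructed inside the block (the IDs, the 192.0.2.10 address, the TTLs and the "ha-ha-ha" string are sample values, not captures), so it runs offline; against a live server you would feed `diagnose()` the bytes read back from a UDP socket after sending your query.

```python
"""Decode DNS response flags to tell authoritative, recursive and refused
answers apart.  Added example for this thread; not ISC or BIND code."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # RFC 1035 header flag bits
TYPE_A, TYPE_TXT, CLASS_IN, CLASS_CH = 1, 16, 1, 3


def encode_name(name):
    """Wire-format a dotted name without compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(ident, flags, qname, qtype, qclass, answers=()):
    """Constructed sample response (not a capture): one question plus
    zero or more (name, type, class, ttl, rdata) answer records."""
    msg = struct.pack("!HHHHHH", ident, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in answers:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            jumped, hops = True, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(pkt):
    """Header flags, the question, and any TXT strings in the answer section."""
    if len(pkt) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"id": ident, "aa": bool(flags & AA), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "status": RCODES.get(flags & 0xF, str(flags & 0xF)), "ancount": an,
            "question": None, "txt": []}
    off = 12
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        info["question"] = (qname, qtype, qclass)
    for _ in range(an):
        _owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_TXT:                      # TXT rdata: one or more <len><chars>
            i = 0
            while i < len(rdata):
                n = rdata[i]
                info["txt"].append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return info


def diagnose(pkt):
    """Attach the verdict a BIND operator would draw from the flags."""
    r = parse_response(pkt)
    if r["status"] == "REFUSED" and r["rd"] and not r["ra"]:
        r["verdict"] = "refused: not authoritative for the name and recursion not offered to this client"
    elif r["aa"]:
        r["verdict"] = "authoritative (AA set): the zone is loaded on this server"
    elif r["status"] == "NOERROR" and r["ancount"]:
        r["verdict"] = "answered without AA: came from cache/recursion, not from a loaded zone"
    else:
        r["verdict"] = "inconclusive: status %s aa=%s ra=%s" % (r["status"], r["aa"], r["ra"])
    return r


# Constructed samples mirroring the thread (IDs, 192.0.2.10 and TTLs are made up).
A_RDATA = bytes([192, 0, 2, 10])
REFUSED_NO_RA = build_response(55754, QR | RD | 5, "domain.com", TYPE_A, CLASS_IN)
NOERROR_NO_AA = build_response(52275, QR | RD | RA, "domain.com", TYPE_A, CLASS_IN,
                               [("domain.com", TYPE_A, CLASS_IN, 300, A_RDATA)])
AUTHORITATIVE = build_response(1, QR | AA | RD, "domain.com", TYPE_A, CLASS_IN,
                               [("domain.com", TYPE_A, CLASS_IN, 300, A_RDATA)])
# The same answer with its owner name compressed to a pointer at offset 12.
AUTH_COMPRESSED = (AUTHORITATIVE[:12 + len(encode_name("domain.com")) + 4] + b"\xc0\x0c"
                   + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + A_RDATA)
VERSION_BIND = build_response(2, QR | AA, "version.bind", TYPE_TXT, CLASS_CH,
                              [("version.bind", TYPE_TXT, CLASS_CH, 0, b"\x08ha-ha-ha")])

if __name__ == "__main__":
    for pkt in (REFUSED_NO_RA, NOERROR_NO_AA, AUTH_COMPRESSED, VERSION_BIND):
        r = diagnose(pkt)
        print(r["status"], r["verdict"], r["txt"])
```

Run as a script it prints the verdict for each constructed packet; the same `diagnose()` call on a real response answers Chris's question directly (is AA set or not), and `parse_response()["txt"]` on a `version.bind CH TXT` reply gives you the string to compare against your named.conf for Mark's check.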